Tools for compliance with CRA requirements and obligations

Deliverables:

• Tools to simplify and automate CRA compliance, with particular focus towards automated compliance tools that would ensure alignment with the CRA cybersecurity essential requirements.
• Tools to simplify and automate CRA compliance documentation obligations.

The objective of this topic is to support the implementation of the proposed Cyber Resilience Act (CRA) through tools that support, and where possible automate, internal compliance procedures, including testing and specification drafting with focus towards European SMEs, in particular micro and small enterprises.

This action aims at the design and development of tools to facilitate, and where possible automate, CRA compliance, with particular focus towards automated compliance tools that would ensure alignment with the CRA cybersecurity essential requirements and documentation obligations.

CRA compliance solutions are foreseen based on technical specifications, training modules, and other relevant material. Tools for penetration testing, testing facilities and other cybersecurity practices, aligning with CRA requirements, are also in the scope.

Tools should be tailored towards needs of European SMEs, with a focus on micro and small enterprises, though also usable by broader stakeholder categories, such as:

• Manufacturers of relevant product categories falling within the scope of the CRA, including software developers.
• Others, such as distributors, importers, open-source community, etc.

CRA compliance tools should be made widely available on fair and reasonable terms and also take into consideration the specific needs of different stakeholders such as the behaviour of consumers, business users, and other relevant factors.

Priority should be given to solutions available to use free of charge or free and open-source software (FOSS) solutions.

These activities should be carried out in close coordination and, where possible collaboration, with the Network of National Coordination Centres (NCCs), the European Digital Innovation Hubs (EDIHs) network, the EU Cybersecurity Skills Academy, other relevant European and National cybersecurity entities, and other projects of this work programme.

This action aims at the creation of tools that, amongst others, do penetration testing or document technical specifications with relation to cybersecurity, including for entities that are providers of essential services and critical infrastructures. As such tools and information could be exploited by malicious actors, they must be protected against possible dependencies and vulnerabilities in cybersecurity to pre-empt foreign influence and control. As previously noted, participation of non-EU entities entails the risk of highly sensitive information about security infrastructure, risks and incidents being subject to legislation or pressure that obliges those non-EU entities to disclose this information to non-EU governments, with an unpredictable security risk. Therefore, based on the outlined security reasons, the actions relating to these technologies are subject to Article 12(5) of Regulation (EU) 2021/694.